Security vulnerabilities are among the most critical software defects in existence. As such, they require patches that are correct and quickly deployed. This motivates an automatic patch generation method that emphasizes semantic correctness and wide applicability. To meet these requirements, we propose Senx, which uses three novel patch generation techniques to create patches for buffer overflow, integer overflow and bad memory offset vulnerabilities. Senx uses loop cloning and access range analysis to analyze the loops involved in these vulnerabilities. For vulnerabilities that span multiple functions, Senx uses symbolic translation to translate symbolic expressions and place them in a function scope where all the values needed to create the patch are available. This enables Senx to patch vulnerabilities with complex loops and interprocedural dependencies that previous semantics-based patch generation systems could not handle.
We have implemented a prototype called Senx using this approach. Our evaluation shows that the patches generated by Senx successfully fix 33 of 42 real-world vulnerabilities from 11 applications, including various tools and libraries for manipulating graphics/media files, a programming language interpreter, a relational database engine, a collection of programming tools for creating and managing binary programs, and a collection of basic file, shell, and text manipulation tools. All patches that Senx produces are correct, and where its analysis would fall short, Senx detects this and correctly aborts patch generation rather than producing an incorrect patch that does not fix the vulnerability.
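As an added illustration (not code from the Senx paper or its prototype), the following C sketch shows the shape of patch the abstract describes for a loop-based buffer overflow that crosses a function boundary: the loop's access range is first expressed in the callee's own variables, and the resulting check is then placed in the caller, the only scope where the destination size is also known. The function names, the buffer size and the sample input are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Callee: writes width*height bytes starting at out. It cannot check the
   destination size itself because out's length is not in its scope. */
static void fill_image(unsigned char *out, const unsigned char *src,
                       size_t width, size_t height) {
    for (size_t y = 0; y < height; y++)
        for (size_t x = 0; x < width; x++)
            out[y * width + x] = src[y * width + x];
}

/* Access range of the loop nest above, in the callee's symbols: the highest
   byte written is out[width*height - 1]. The product itself can wrap around
   in size_t, so the check must guard the multiplication as well as the bound. */
int access_range_fits(size_t width, size_t height, size_t out_len) {
    if (width == 0 || height == 0)
        return 1;                        /* loop body never executes */
    if (width > SIZE_MAX / height)
        return 0;                        /* width*height would overflow */
    return width * height <= out_len;
}

/* Caller scope: out_len, width and height are all visible here, so this is
   where the translated range check is inserted. (Hypothetical sizes.) */
#define OUT_LEN 64
static unsigned char out_buf[OUT_LEN];

/* Constructed sample source data, large enough for every safe test case. */
unsigned char sample_src[OUT_LEN] = { 0x11, 0x22, 0x33 };

/* Returns 0 on success, -1 when the inserted patch rejects the unsafe call. */
int load_image_patched(const unsigned char *src, size_t width, size_t height) {
    if (!access_range_fits(width, height, OUT_LEN))
        return -1;                       /* inserted patch: abort instead of overflow */
    fill_image(out_buf, src, width, height);
    return 0;
}

/* Byte of the destination after a load, so a caller can verify the copy. */
unsigned char out_byte(size_t index) { return out_buf[index]; }
```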
Publication: The work on Senx is currently published as a preprint on arXiv.